Peter Spier

Managing Director PCI and Risk Assurance

Fortrex Technologies


ISACA Western New York Chapter

Oct 01, 2014 10:23PM


Why You Don't (Do) Need to Be Compliant

People generally don't like to be told what to do. Worse, when they have made a strong commitment to what exactly they believe to be prudent, learning that they may have miscalculated along the way can be a gut-wrenching experience. In fact, when they are forced to confront absolutes that are fundamentally different from their established beliefs, the process of working toward resolution can at times prove quite difficult. As a result, individuals in assessor or auditor roles frequently become what I term "professional deliverers of bad news."

Consider the payment brand requirement that service providers be PCI DSS compliant. Visa's Cardholder Information Security Program details that, "In addition to adhering to the PCI DSS, compliance validation is required for all service providers."[i] Similarly, MasterCard states, on its web page "Site Data Protection and PCI," "MasterCard requires all Service Providers to be PCI Compliant."[ii] Additionally, the Payment Card Industry (PCI) Security Standards Council (SSC) defines a service provider as a "business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities...."[iii]

Now, both Visa and MasterCard provide similar definitions of service providers.  Nevertheless, data center and web hosting providers are frequently certain that they need not comply. 

We just provide rack space and an Internet connection

Ok - you have physical access to customer cardholder data environments, and you provide a perimeter firewall to protect facility and tenant Internet communications, right? 

You're a service provider.

We only provide a hosted website to our clients, who may or may not process cardholder data. 

So, you manage a hosted application environment that includes initial provisioning and support for a shopping cart? 

You're a service provider.

Though, per Visa,[iv] it is the responsibility of issuers and acquirers to use, and to ensure merchant use of, PCI DSS compliant service providers, I cannot recommend enough that both compliance and periodic risk assessment requirements be added to your organizational third-party access and/or risk management policies. No, an SSAE 16 report alone is not enough.

Consider also the final HIPAA Security Rule, which was issued in 2003 with a 2005 deadline for compliance. Therein, requirement 164.308(a)(1)(ii)(B) states that covered entities must "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)." The referenced 164.306(a) requirement further directs covered entities to:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

As such, it is entirely within reason to conclude, when in the course of a risk assessment it is learned that the organizational patch management standard requires quarterly patching, with vendor-supported applications granted an unwritten exception, that risks and vulnerabilities are not being reduced to a "reasonable and appropriate" level that ensures compliance with 164.306(a). Nevertheless, many a covered entity believes that it is compliant, despite such a finding.

HIPAA does not include a specific patch management requirement.

True, but your server patch reports are identifying 89+ days' worth of critical security patches, and our vulnerability scan results are identifying multiple high-risk vulnerabilities. You are not compliant.

The vendor does not support current patches.

Did the vendor sign a confidentiality agreement committing to protect sensitive data?  Does the product as advertised cite tangible security benefits or regulatory adherence?  Has your own organization agreed to hold the vendor harmless in the event of a breach?  What does your patch management policy require again?

All of our peers of a similar size and complexity follow the same practice.

If one of your peers were to jump off a bridge?

And so it goes across a multitude of regulations, standards, and frameworks.  Where one says "do not," somebody has inferred an exception. Where one says "ensure that," somebody is certain that their efforts meet the requirement's spirit and intent.

Taking a serious approach to risk management requires commitment.  Ensuring the security of the sensitive information within your custodianship requires consideration of risk.

In the end, there is little better than the process, based on the National Institute of Standards and Technology's (NIST) Special Publication 800-30, of considering the likelihood and impact of a threat source or vulnerability when assigning risk, though the Common Vulnerability Scoring System (CVSS) should not be discounted in the process.  Further, compliance risks should nearly always be considered as high impact.

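To make the likelihood-and-impact process above concrete, here is an added example (not code from the original post or from NIST) that rates findings like the ones in the HIPAA dialogue: a 3x3 SP 800-30 style matrix, CVSS base scores mapped to qualitative bands, likelihood raised when a patch is past the quarterly window or the vendor ships no fix, and any policy violation forced to High impact. The 90-day window, the band thresholds, and the three findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
PATCH_WINDOW_DAYS = 90  # assumed quarterly patching standard, as in the post


@dataclass
class Finding:
    title: str
    cvss: float                 # CVSS base score from the scan result
    days_unpatched: int         # age of the oldest missing critical patch
    vendor_supported: bool      # does the vendor still ship patches?
    documented_exception: bool  # is an exception actually written into policy?


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the qualitative bands used in the matrix."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"


def violates_policy(f: Finding) -> bool:
    """Overdue against the quarterly window with no written exception."""
    return f.days_unpatched > PATCH_WINDOW_DAYS and not f.documented_exception


def likelihood(f: Finding) -> str:
    """Start from CVSS severity; raise one level when the patch is overdue or
    no vendor fix is coming, since the window of exposure is open-ended."""
    idx = LEVELS.index(cvss_band(f.cvss))
    if f.days_unpatched > PATCH_WINDOW_DAYS or not f.vendor_supported:
        idx = min(idx + 1, len(LEVELS) - 1)
    return LEVELS[idx]


def impact(f: Finding) -> str:
    """Compliance findings are rated High impact regardless of CVSS."""
    return "High" if violates_policy(f) else cvss_band(f.cvss)


def risk_level(lik: str, imp: str) -> str:
    """3x3 likelihood x impact lookup in the style of SP 800-30."""
    total = LEVELS.index(lik) + LEVELS.index(imp)
    return "High" if total >= 3 else "Moderate" if total == 2 else "Low"


def assess(findings):
    """Return (title, likelihood, impact, risk) tuples, highest risk first."""
    rows = [(f.title, likelihood(f), impact(f),
             risk_level(likelihood(f), impact(f))) for f in findings]
    return sorted(rows, key=lambda r: LEVELS.index(r[3]), reverse=True)


# Constructed sample findings modelled on the scenarios in the post.
SAMPLE = [
    Finding("Critical OS patches outstanding 89+ days", 9.8, 95, True, False),
    Finding("Unsupported vendor app, unwritten exception", 6.5, 200, False, False),
    Finding("Low-severity banner disclosure", 3.1, 10, True, False),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print("%-45s L=%-8s I=%-8s Risk=%s" % row)
```

Note that the second finding reaches High risk only because the missing exception makes it a compliance finding; rated on CVSS alone it would sit at Moderate.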
To help one come to terms with the frequently discomforting results of such efforts, perhaps we would each do best to consider the following five questions as we endeavor to plan our mitigation and compliance strategies with an eye toward what exactly is an "accepted" risk and what is truly compliant.

1. Does the strategy adhere to applicable standard, framework, or regulatory requirements as written?
2. Do you have a plan that clearly details what you will do should the strategy not work?
3. How would your actions affect customer and public perception should they garner media attention?
4. Is there anything more that can reasonably be done?
5. How would you feel if your own personal information was being protected in such a manner?


ISACA-WNY: Control and Compliance 2012 - 4/3 - Ira Winkler Key Note Presentation Notes

Repeatable processes are science not art
Knowledge is learned, skills are practiced
Repeatable processes can lead to reasonable information security
Impersonation via phone is fraudulent identity (felony) in California and some other states
100s of hacks occur per day but Anonymous is newsworthy
1988 Morris worm shut down 1/3 of the Internet.  Imagine that occurring today...
1997 Worcester Airport - wardialer use analogous to WarGames (1982)
Multiple historical cybersecurity events have been accomplished as a result of commonly known vulnerabilities that were preventable
2 ways to hack - take advantage of config problems or software vulnerabilities
Security should be common sense
Computers are more like cars than toasters, maintenance required
(Threat*Vulnerability)/Countermeasures * Value = Risk
Dedicated information security/risk management budget is better than it being a percentage of IT budget which may itself be dwarfed by relationship to total revenues
Multi-factor authentication will cost $2mil while saving $10mil in losses <-cost justification gets budget, ROI
2 teenagers in Cloverdale, California in ~2001 resulted in DoD Secretary announcing that it was experiencing significant, coordinated attack
Anonymous is akin to rodents poking heads in little holes as opposed to a great dragon.  HBGary was social engineering of password as opposed to high tech hack.  Persistence, but not complexity.
FUD is ok to get budget that will optimize risk levels
Cloud providers should adhere to client organizational policies, not clients to theirs.  Security is not server specific.
More people die weekly from heart attacks than did from Anthrax, but Anthrax changed behavior, creating terror
Terrorism is about terror, not damages
Little things cost billions, e.g., virus attacks result in millions but are downplayed
Security is management problem, must vs. should, CEO and CIO must be in sync (preferably on must)
Real moral of Wizard of Oz - you always had what you were looking for but didn't know how to use it <-security
Train workers to use common sense


ISACA-WNY: Control and Compliance 2011 - 4/5 - Marcus Ranum Key Note Presentation Notes

"why do we keep working so hard and accomplishing so little"

Budgets are going up, why aren't penetrations going down?

If we stopped spending, things would get immeasurably worse

Firewalls don't work?  You're installing it wrong.  If you're allowing everything through port 80, don't blame the firewall. 

Threat landscape is changing so quickly, battlefield is shifting

The problem is complex; by the time that we understand it, things change

In '90s, installing patches and a/v would solve security.  Now, Microsoft Patch Tuesday and a/v is still a focus, but good software development practices and configuration management is less so

Systems need internet access to be patched and then are exploited by the Bagle worm

Ranum uses unpatched Office 97 because it works

Game Over - In '00s, security was in the news and became expensive
Security professionals cried wolf too many times and became identified as a cost center despite trying to sell ROI

Cloud computing paradigm is now attractive as a result of '00s expensive security infrastructure build-outs and administration requirements

Use of thumb drives added complexity to finding data and ensuring its handling

Cloud computing builds dependency, will cost increase after dependency exists? 
Unix/Linux crushed Mainframes and then price increased
Suggestion: Do projection on cost savings and perform EOY analysis to see what is realized

2010s - Regulation and Advanced Persistent Threat (APT)

Cyberwar was fought and US lost to China without knowing it was happening

Compliance monitoring and auditing adds complexities to administration and redundancies to security operations

If A trusts B and B trusts C, A trusts C and does not know it

APT is frequently malware and intelligence gathering

iPads and smart phones are "gift" to next generation of security pros, "toxic love canal", executives walking around with equivalent of "h-bomb on their hip"

Advanced Threat Management operation is needed to manage organizational data threats regardless of Cloud

Tabletop risk management drill can be useful to understanding threat response.  What would you do if your customer database was on eBay?

"Security is an expense that you pay to avoid a much bigger expense"

Southwest grounded all of their planes to save law suit expense and identified several other affected planes


Not All Data Is Created Equal

It seems that Wikileaks has become the cause du jour.  In late 2010, rabid supporters launched targeted cyberattacks in efforts to bring their own DDoS-flavored retribution upon dissenters. Working in the field of information security, it is difficult not to be wholeheartedly against both this position and this method of "support".

Data classification is the bedrock upon which information security best practices are founded. Without an understanding of what data is more sensitive in nature than other data, determining appropriate protection levels is folly. 

Should financial data be considered any more sensitive than e-mail correspondence?  Should Human Resource data be handled differently than a stock image archive?  Certainly.  Why?  Because corporations and, as we have most recently learned, banks and their account holders can be damaged or otherwise placed at a competitive disadvantage by the unauthorized disclosure of their financial data. Because, as individuals, the unauthorized disclosure of our SSNs or background check data can lead to identity theft among other long-term harm. It is the same reason why we cringe whenever we receive correspondence that begins, "We regret to inform you..." and blush when our personal correspondence or photos become public.

Therefore, the impact of the disclosure or breach of such data may fairly be considered to be justifiably high. The probability of its unauthorized disclosure or breach in this example is also recognizably influenced by the quality of controls protecting the data, inclusive of both the logical and physical.

Supposing that government or bank classification systems overprotect data in conflict with the right to public knowledge is to arrive at a belief without due consideration of the risk assessment metrics employed, inclusive of probability, impact, and contributing risk factors. As such, the public is at an unfortunate disadvantage in its ability to weigh the threat posed by unauthorized disclosure and astoundingly unqualified to speak to its need.

Consider this: If your fellow employee were to use their database access privileges to review your compensation package for use in their own salary negotiations, have they violated corporate trust?  If the same employee then were to e-mail your compensation package to a company-wide distribution list, have they violated your right to personal privacy?  If the same employee were to publish your compensation package to the web as they passionately argued that the information illustrates principles of corporate greed and the unfair labor practices of third world countries, have either corporate trust or your right to personal privacy been violated?  Did the worthiness of the cause justify the unauthorized action?

In the case of Wikileaks, Mr. Assange's alleged source of 260,000 United States State Department cables, 22-year-old Army intelligence analyst Private Bradley Manning, despite the extensive background checks employed by the military prior to granting clearance, still allegedly found a need to share. Since then, it has been reported that former Swiss banker Rudolf Elmer, despite the due care similarly taken prior to granting his access, also felt compelled to admittedly share over 2,000 confidential records of account holders in violation of Swiss banking laws in supposed reaction to bank inaction regarding alleged tax crimes.  Further rumors of future releases of internal banking documents have also been speculated to be pending.

While it can be certain that, in post-breach lessons learned, the United States government and banks around the world will pay closer attention to identity governance controls, if not at least Data Loss Prevention considerations, the concept that it may be acceptable to flout organizational policy, state and federal laws, or even societal mores given personal belief in a just cause is a slippery slope.  Any media outlet willing to be complicit further threatens to erode whatever journalistic integrity it may have otherwise possessed.

Finally, as we individually consider these, and what are likely to be many more, cases of unauthorized disclosure of information, and come to determine our personal views on each, we may also wish to take a moment to consider exactly how we can be so concerned with our Facebook privacy settings and in the very same breath view the unauthorized disclosure of any other data with less severity.  For should we continue this course, our own information will one day too be "wikileaked" to a chorus of "supporters" who believe themselves justified.


An InfoSec Pep Talk

The information security savvy are frequently so immersed in their field of expertise that they commonly forget just how much of best practice remains a mystery to the unindoctrinated.  Don't think so?  Take a walk through any office space, retail storefront, or healthcare facility and think like a "black hat" for a moment.  You see that pile of completed forms stacked over there?  How about that unshredded, unlocked recycle bin?  Are there really no physical controls around the fax machine?  Bingo!  An unlocked workstation!

Now, let's think about the most recent security awareness class that your organization offered.  It probably reviewed password strength and complexity and phishing threats.  Hopefully, it also went into some detail regarding organizational security policy and how "zzzzzz".  Why is it that whenever we get to the policy part the audience keeps doing that?!

Ok, here's the problem.  Most people want to do their jobs to the best of their ability and then go home.  Most people also despise change.  So, when the Information Security Department starts introducing controls that require people to change their behavior in order to do their jobs, it is frequently met with an acute case of the "I don't wanna!"s.

Oddly enough though, today's change is actually tomorrow's accepted state.  Recall the late '90s when you tried convincing your boss that a network firewall was needed to safely access the Internet.  After clearing budget review, end users likely flooded the help desk with calls as seemingly far-fetched as that their mouse was moving slow... ever since the firewall went in.  Today, network firewalls are commonplace, as should be the desktop variety.

The fact is that when Information Security proposes a control, policy, or process, it will likely be met with both skeptics and naysayers.  The "we've always done it this way!"s and "isn't that overkill?"s are frustrating and, at times, discouraging.  However, it is also the nature of the business.  Information Security is paid to consider the risk and to make the hard decisions that err on the side of caution.  In times of trouble, Information Security is also everyone's best friend.

Don't ever give up in your efforts to clearly communicate organizational security requirements.  Re-commit now to the value of your security awareness program.  Rinse.  Repeat.  Develop prioritized organizational security goals according to a three-year plan and institute measurable benchmarks to regularly assess current state and monitor performance.

Information Security hopes for the best while planning for the worst.  With enough supporting data your boss may even begin to realize exactly how much worse off the organization would be without it.


You Better Watch Out, You Better Not Cry...

I was watching the Early Show this morning.  It's a guilty pleasure.  It's just newsy enough for my mornings without being Good Morning America serious or Today Show pretentious.

With the holidays upon us, a story on phishing attacks was featured.  True to form, Harry Smith was amazed by his guest as she described how she had sat in "a room full of world class experts" who all had trouble identifying the phishing message due to its apparent authenticity.

Hmm... I'm guessing that something was lost in translation.  It seems to me hard to believe that any "world class expert" would have such trouble recognizing that a message indicating that the provider needs you to either reply or call with your details to "confirm" them is anything but authentic.

Just the same, here are some basics to think about when you get such messages, texts, calls, or even in person queries:

  • How verifiable and credible is the requestor?  Does the sender of the message read or  Does your caller ID identify the call?  Does the person have identification?
  • What information is being asked for?  Honestly, when was the last time that your credit card company lost your account number?  Why would they or any merchant contact you directly to request your SSN in order to "verify" anything?
  • What information do they already have?  Most credit card issuers, banks, and merchants will already possess some identifying information on you and will seek to confirm what they have as opposed to asking you for what you have.  Now, this alone does not bring instant credibility.  However, if they are telling you your recent transaction amounts and dates, it is a step in the right direction.  Whereas, if they are telling you your street address and then asking for your account number or SSN, it should be viewed as highly suspect.
  • What is that agent's name and/or the assigned case number?  When in doubt, look up your credit card issuer's, bank's, or merchant's customer service number as found on your most recent invoice and call them directly with the agent name and/or assigned case number to confirm the request before providing anything.


Advice I Tell My Mom

I once read an article in USA Today where a victim of identity theft recounted his misfortune.  True to form, the experience had cost him near all of his available assets and a mountain of red tape to attempt to recover.  What struck me most was that his lesson learned was that he would never again use credit cards or participate in an e-commerce transaction.  Now, there is a guy walking around with a wad of cash.

Effectively, this man had shifted his risk.  Where once he was prone to credit card fraud, he is now a potential mugging victim, and his identity could still be stolen.

Might he have considered subscribing to a credit monitoring service as provided by one of the major credit card bureaus (Disclosure: I am not a fan of third-party credit monitoring solutions, myself)?  Might he have agreed to pay fractions of a cent per $100 to allow his credit card issuers to monitor the accounts for fraud?  Could he have selected a bank that themselves provided fraud monitoring to its account holders?  Could he have routinely reviewed his account balances and transaction history?

As we are not provided with details of the origination of the theft, might his computer have not had a basic firewall, current software patches, or updated virus protection?  May he have practiced poor information disclosure habits and succumbed to either a talented social engineer or been overheard providing sensitive information by the next customer in line?

Yes.  In each of these cases, yes!

Concerned with identity theft?  Concerned about all those nasty hackers out there?  Practice the basics.  Employ major credit bureau, credit card, and bank fraud monitoring.  Patch your system and run a current internet security suite.  Don't share sensitive information with unauthorized third parties and take care to reasonably protect such disclosure when it is necessary.

Trust...but verify.


Risk to the Better Mousetrap

You've built a better mousetrap.  Congratulations! 

One thing - Bob needs it ahead of schedule for a very important client.  Can you accelerate production?

Oh yeah, we're short on budget for this project.  You're going to have to do with less.

Yeaaah....well, Sue is really a critical asset to the success of a new initiative of ours.  You're going to have to do it without Sue. 

Hey, this thing isn't going to hurt the anthropomorphic ones, right?  We don't want any trouble with Disney.

...and we're going to need you to come in on Saturday.

Security controls are often very good conceptually.  Then, the first constraint is identified and the control is still good.  Then, another constraint, another, and an exception.  Eventually, your mousetrap may more closely resemble a block of wood.